How do you protect against SQL injection when using whereRaw? #716

damiencamilleri · 2024-04-09T05:42:07Z

damiencamilleri
Apr 9, 2024

What is the correct way to protect against SQL injection when using whereRaw? From the syntax in the documentation, new Query("Posts").WhereRaw("lower(Title) = ?", "sql"); , I would have expected escaping/handling/paramaterization of the value using the placeholder '?'; However, I believe this is just still string concatenated formation of the query and offers no protection?

Any advise?

ahmad-moussawi · 2024-04-09T10:47:21Z

ahmad-moussawi
Apr 9, 2024
Maintainer

The ? placeholders will be converted to params binding,
There is no string concatenation here.

make sure you are using the SqlResult.Sql and SqlResult.Bindings to execute your query (or use the SqlKata.Execution package)

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

How do you protect against SQL injection when using whereRaw? #716

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Uh oh!

How do you protect against SQL injection when using whereRaw? #716

Uh oh!

damiencamilleri Apr 9, 2024

Replies: 1 comment

Uh oh!

ahmad-moussawi Apr 9, 2024 Maintainer

damiencamilleri
Apr 9, 2024

ahmad-moussawi
Apr 9, 2024
Maintainer